Archive for December 2010

To date Riskviews has featured discussions of issues relating to Risk Culture 27 times. While we talk about the Eight ERM Fundamentals, Culture is THE ERM FUNDAMENTAL.

While Standard & Poor’s uses this category to include a variety of practices including governance, disclosure and risk appetite, here we mean solely the manner that people outside of the risk management department are brought into the risk management process in a firm.

Decisions need to be made regarding who to get involved in doing and then who else to tell about the objectives and plans and activities of risk management in the firm.

Some companies do this on a need to know basis, involving only those who must get involved to make things work and only telling those who have an active role.

At the opposite extreme are firms who say that risk management is everyone’s job and who therefore work very hard to make sure that everyone understands everything that is going on.

The firms in the first group are focused on efficiency. Management usually believes that everyone must stay focused upon their own primary responsibilities. A select few are given responsibility for risk management activities and everyone else is kept out of the way. Knowledge of the risk management work in these firms is usually restricted to top management and line management only in the situations where the risk management efforts need to be integrated into the operational unit’s activities.

The firms in the second group believe that risk management is everyone’s job because crippling risks can take many forms, both currently known and unknown. And that these risks can emanate from any part of the firm. They do not believe that just because there has never been a large problem from one activity, that there never can be.

For the first type of firm, risk management culture means that risk management is one of those things that separates the cognoscenti from the rest of the firm. Risk management culture means keeping those in the know up to date on everything that is important about risk and risk management. Each one of the restricted group must take a major responsibility to join in this activity.

For the second type of firm. there will be a totally different type of activity supporting risk management culture. That will involve training sessions and informational newsletters. One firm holds an annual conference about risk management and allows anyone at the supervisory level and above in the firm to attend. Another firm puts an ERM related message on the intranet home page and changes that message at least once per week.

The second type of firm will welcome input from anyone to their ERM processes.

Fully 95%, 19 out of 20 of these bankruptcies are caused by business risks.

Meanwhile, risk managers in the insurance industry are off building risk management systems that assure that there is no more than a 1/200 chance of a loss large enough to cause a bankruptcy.

But Business Risk is not on the list of risks that are being considered in the Solvency II or Basel III regimes.

Fully 95% of US bankruptcies in 2010 were caused by business risks. Does that mean that we are building a system that assures that we are 99.5% safe from 5% of the risks?

Does this give risk managers a hint as to why top management may only want to devote a small amount of their attention to the management of those 5% risks?

Are top management spending their time paying attention to those pesky risks of Competition, Products and Resilience?

Risk Managers can and should address those risks as well. But rather than moving away from the risk management discipline, risk managers should be looking to see how the risk management processes can be of help with those risks.

Now, for the folks who think of risk management purely as a modeling exercize, this discussion is largely over. But if you see your risk management program as a management control system, then there is much for you to bring to help with these risks.

These risks can be handled like any of the Operational risks that are difficult to model. Key Risk indicators are identified and monitored. Triggers can be set to initiate actions. And actions taken to react to increasing indication of risks.

For the three big Business Risks that took down companies in 2010, there are particular concerns:

Competition – Business managers must move away from sports analogies. They make companies particularly at risk for this type of competition. In sports, the opposing team rarely starts playing a totally different game. The football team will not be opposed by a hockey club. But in business, there is often not anything to stop a competitor from starting to play a totally different game. Risk management needs to be built from te premise that there really are very few rules restricting competitors.

Product Risk – in many cases that largest source of product risk is a successful product. Especially a highly profitable successful product. Firms with such often find it extremely difficult to justify the cost and risk and low profitability of new products. The risk manager needs to consider addressing this risk from the point of view of revenue diversification. Concentrations are often the most profitable and the most risky in the long term.

Resilience – This comes closer to regular risk management territory. But often a major change in business volume either up or down is not a scenario that is factored into the risk model. Most often, the level of business activity is taken as a constant! How totally unrealistic is that? The level of business activity is definitely NOT constant and NOT predictable. It is at least as uncertain as any of the things that ARE being modeled. Risk models can be used to evaluate the impact of simultaneous changes in the level of business along with other adverse events. Perhaps it might make sense to also assume that if volumes are going up beyond a certain range, that selectivity might be going down. Or that if volumes are decreasing, that margins might be squeezed in addition to the expense squeeze because of competition for the lower amount of business.

Risk managers can bring something to the table for discussions of Business Risk. But it will take breaking out of their sometimes self imposed bounds.

So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself. Sun Tzu

“We focus on risk before we focus on return. The best investors do not target return. They focus first on risk.” Seth Klarman

Barings was always described as this wake up call that nobody would ever forget, but the fact is, only lip service was ever played to the fact that risk management needed to improve Nick Leeson (in 2009)

Information about causation, even if imperfect, is powerful. It is ignored in the frequentist approach at a great loss for the risk manager. Organizing one’s understanding about how the world might work into a coherent and tractable analytical probabilistic framework is not an easy task. Ricardo Rebonato

Fill your bowl to the brim and it will spill. Lao Tzu

The essential problem is that our models—both risk models and economic models—as complex as they have become, are still too simple to capture the full array of critical variables that govern global economic reality. Alan Greenspan

Economies are in greatest peril not when investors willfully take crazy financial risks but when no one seems to perceive risk and the need to insulate the economy from it. Nicole Gelinas

“What one does see, again and again, in the history of financial crises is that when an accident is waiting to happen, it eventually does.” Reinhart & Rogoff

Share this:

Like this:

A New York Times Magazine article on Jamie Dimon, now CEO of JP Morgan Chase Bank, tells that he once set a risk limit for Travelers…

Losses from a once in a hundred year storm could not exceed a quarter’s earnings.

For the quantifiable risks that banks and insurers have aplenty, that is exactly how a risk limit needs to read. It must state a frequency (once in a hundred or 1%) and a severity (one quarter’s earnings).

That sort of simple clarity seems to escape most financial firms. Probably that is because they have little experience with the frequency part of that statement.

Think of this analogy. You are sitting there in an office building deciding what to set as the speed limit for a new transportation system. That system has newly designed roads and vehicles. You do not know the tolerances of either the roads or the vehicles. You have been a passenger on test runs, but during that test, you were not shown the speeds that the vehicle was going.

What might make sense in that situation, would be for the person being asked to make the decisions on speed limits to be told what speed that they had been going on the long straight-aways, on the gradual curves, the sharp curves and how long it took to stop the vehicle at various speeds. In addition, more trips, more experience, should be undertaken and the speed of the vehicle should be noted under various weather conditions as well as types of roads.

Polls often reveal that the most common shortfall of ERM development is in the area of Risk Tolerance and Risk Appetite. In many cases, that shortfall is due to the inexperience of management and boards with the frequency information.

There is no shortcut to getting that experience. But there are simple exercizes that can be undertaken to look at prior experiences and tell the story of just how fast the firm was going and how severe the weather was.

The best such exercize is to look backwards in time over the recent past as well as to famously adverse periods in the more remote past. For each of those situations, the backwards looking frequency can be assigned. This is done by looking at the current risk model and determining the frequency that is aligned with the level of gains losses that were experienced in general. That frequency is analogous to the weather. Then the risk analyst can look at the firm’s own gain or loss experience and the frequency that the model could attribute to that size gain or loss.

Once a firm has some comfort with frequency, they can write a real risk appetite statement.

And after that, they can go through an exercize each year of deciding what frequency to assign to the experience of the year’s gains and losses.

But there is much for the new risk manager to do between the day when they are first given their charge (the call of ACTION) and the day when they must take their first ACTION.

Many new risk managers get completely caught up in the process of creating a risk management system and the idea of ACTION gets moved into some sort of bureaucratic haze. The risk management systems that are described in many textbooks and articles make it seem like ACTIONs will simply happen on their own if the system is all in place.

But any risk manager who has worked through the financial crisis or through any other major loss making crisis will tell you that the ACTIONs that take care of themselves through the system are only the easiest part of the ACTION that is really needed, that really adds value to the organization. The really difficult ACTIONs are the ones that are not so clearly indicated, or the ACTIONs that come after a long period of inaction.

Those actions include things like stopping the growth of a profitable risk, stopping writing a particular risk or even shrinking risk positions.

“Every great mistake has a halfway moment, a split second when it can be recalled and perhaps remedied.”
Pearl Buck

There is a time as well when it is too late for the ACTION. That is because it is usually in the late stages of a boom that the firm takes on the risks that end up making the largest losses.

And when the problem starts to become evident, it is usually much too expensive to lay off the risk positions. The best you can hope for is to stop growing the positions.

So there are times, during a boom, when the most important but most difficult ACTION for a risk manager to take is to stop the growth of an overheated risk.

But there are many other times when the risk manager can concentrate on inaction. Just letting the risk control system do its work.

We are pleased to announce the fourth global webinar on enterprise risk management. The programs are a mix of backward and forward looking subjects as our actuarial colleagues across the globe seek to develop the science and understanding of the factors that are likely to influence our business and professional environment in the future. The programs in each of the three regions are a mix of technical and qualitative dissertations dealing with subjects as diverse as regulatory reform, strategic and operational risks, on one hand, and the modeling on tail risks and implied volatility surfaces, on the other. For the first time, and in keeping with our desire to ensure a global exchange of information, each of the regional programs will have presentations from speakers from the other two regions on subjects that have particular relevance to their markets.
For more information and to register:http://www.soa.org/professional-development/event-calendar/event-detail/erm-economic/2011-01-12/default.aspx